Getting Data In

Issue with configuring forwarder



I had configured my universal forwarder on production by adding conf files ie. inputs.conf,outputs.conf and deploymentclient.conf in etc/system/local folder.

Now I want to make changes( like monitoring path etc) on conf files through deployment server by using deployment-app.

I tried this scenario in my local but it not overriding my existing configuration and more its monitoring older path as well as newer path. Might it was not orderride but it is merged.

Please suggest me any solution.

0 Karma

Splunk Employee
Splunk Employee

The apps created in the folder $SPLUNK_HOME/etc/deployment-apps on the deployment server, and defined in the serverclass.conf (or in the forwarder manager page) will be deployed to the deployment-clients in $SPLUNK_HOME/etc/apps.
Therefore they will never replace the configs from $SPLUNK_HOME/etc/system/local.

For details about the deployment server, follow the docs

Check if the apps have been deployed, If you are not sure of the precedence between the configurations, use the btool command to check the result.
precedence rules :

0 Karma

Super Champion

When it comes to directory monitoring behavior, you cannot override the system\local folder - it has the highest priority - see the link YannK posted.
Correct, if you want to have something controlled by a deployment server, then you should not have placed the configuration in system\local.

0 Karma


Thanks for answer.

If we need option of updating confs files from deployment server then we didnot need to add this files in system/local folder. right ?

Or Is there any way to override system/local files from deployment server then please let me know

0 Karma


It not mach different but now i am facing this issue for all conf files.

Please suggest me resolution or best practice

0 Karma

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!